How to examine the compromised Microsoft Virtual Server 2005 host server after a security breach

Have you had a Microsoft Virtual Server 2005 security breach? The last article in this series explored virtual machine log file monitoring. This article will walk you through some steps to take before powering down a Virtual Server 2005 host for investigation.

In an ideal world, one would be able to take a perfect snapshot or disk image of a compromised system. This may not always be possible. However, there are some actions that you should probably take before powering down a compromised system.

First, export all of the event logs in case you don't have an archive of them. You could use the "VS2005_evtlogbackup.vbs" script from the previous article to back up the event logs. However, before you do that and clear the event logs, you may want to export the events in an easy-to-read format categorized by event type. This is where the "VS2005_evtcollect.vbs" script comes in. This script will extract the events from a list of computers and output them in five separate HTML files, one per event type. The script for this section is available for download here.
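To make the "five files, one per event type" idea concrete, here is an added Python example (not the article's VBScript and not Microsoft code) that buckets event records by the five Windows event log types (Error, Warning, Information, Audit Success, Audit Failure) and writes one static HTML report per type, escaping every field so a crafted event message cannot inject markup into the report you will later open in a browser. The input records are constructed here in the shape a WMI Win32_NTLogEvent query returns; in practice you would feed it the records collected from each host.

```python
import html
import os

# The five Win32_NTLogEvent "Type" values; one report file is written per type.
EVENT_TYPES = ("Error", "Warning", "Information", "Audit Success", "Audit Failure")

# Constructed sample records in the shape of Win32_NTLogEvent rows
# (not real log data from any system).
SAMPLE_EVENTS = [
    {"ComputerName": "VSHOST1", "Logfile": "Security", "Type": "Audit Failure",
     "TimeGenerated": "20070212093015.000000-000", "SourceName": "Security",
     "EventCode": 529, "Message": "Logon Failure: Unknown user name or bad password"},
    {"ComputerName": "VSHOST1", "Logfile": "System", "Type": "Error",
     "TimeGenerated": "20070212093120.000000-000", "SourceName": "Service Control Manager",
     "EventCode": 7034, "Message": "The Virtual Server service terminated unexpectedly."},
    {"ComputerName": "VSHOST1", "Logfile": "Security", "Type": "Audit Success",
     "TimeGenerated": "20070212093205.000000-000", "SourceName": "Security",
     "EventCode": 528, "Message": "Successful Logon"},
    {"ComputerName": "VM-WEB01", "Logfile": "Application", "Type": "Warning",
     "TimeGenerated": "20070212093300.000000-000", "SourceName": "W3SVC",
     "EventCode": 1062, "Message": "<script> in a message must be escaped"},
]


def group_by_type(events):
    """Bucket events by their Type field; every known type gets a bucket, even if empty."""
    buckets = {t: [] for t in EVENT_TYPES}
    for ev in events:
        buckets.setdefault(ev["Type"], []).append(ev)
    return buckets


def render_html(event_type, events):
    """Render one event type as a static HTML table, oldest first per computer.
    All cell contents are HTML-escaped so message bodies cannot inject markup."""
    rows = []
    for ev in sorted(events, key=lambda e: (e["ComputerName"], e["TimeGenerated"])):
        cells = (ev["ComputerName"], ev["Logfile"], ev["TimeGenerated"],
                 ev["SourceName"], str(ev["EventCode"]), ev["Message"])
        rows.append("<tr>" + "".join("<td>%s</td>" % html.escape(c) for c in cells) + "</tr>")
    return ("<html><head><title>%s events</title></head><body>"
            "<h1>%s events (%d)</h1><table border='1'>"
            "<tr><th>Computer</th><th>Log</th><th>Time</th><th>Source</th>"
            "<th>Event ID</th><th>Message</th></tr>%s</table></body></html>"
            % (html.escape(event_type), html.escape(event_type), len(events), "".join(rows)))


def write_reports(events, outdir):
    """Write one HTML file per event type into outdir; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for event_type, evs in group_by_type(events).items():
        path = os.path.join(outdir, event_type.lower().replace(" ", "_") + ".html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_html(event_type, evs))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_reports(SAMPLE_EVENTS, "event_reports"):
        print("wrote", p)
```

Empty buckets still produce a file, which is deliberate: a missing Audit Failure report is a collection problem you want to notice, not something to confuse with "there were no failures".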

Then, open up the Virtual Server 2005 Administration page if you can and take a screen capture of the main page so you can view the recent events later. After these two steps have been taken, I would recommend gathering some additional information before shutting down any virtual machines that are running on the host, or the host machine itself.

This additional information can be gathered by using tools from Windows Sysinternals. The list of tools includes "accessenum.exe," "autoruns.exe" (or "autorunsc.exe"), "pendmoves.exe," and "logonsessions.exe." Accessenum.exe is a graphical tool that allows you to view who has access to items within a directory or registry key. When you download it from Windows Sysinternals, just run the executable and choose a directory or registry key to query. Examples of both a directory listing and a registry key listing are shown in the figures below.

Autoruns.exe is a graphical tool that is used to display information about bootup and logon processes, as well as the order in which Windows processes them. An example of its output is shown in the figure below.

Autorunsc.exe is the command-line equivalent to autoruns.exe. It is useful for scripting and exporting the results to a comma-separated values (CSV) file. It might be a good idea to run accessenum.exe and autoruns.exe when you first set up the Virtual Server 2005 host machine and save the results in a safe place. Both of these utilities have a compare feature under the File menu that can be used to compare an original query file with current results. This might make it easier to locate differences or abnormalities.

Pendmoves.exe is a command-line utility used to view scheduled file renames and deletions for the next system boot. To run it, simply type pendmoves in the directory where the utility is. An example of the output is shown in the figure below.

You never know what surprises a compromised system may have for you when you reboot. Pendmoves.exe may shed some light on any of these surprises.
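What pendmoves shows is the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: a REG_MULTI_SZ holding (source, target) pairs, where an empty target means the source is deleted at the next boot and a target beginning with "!" means the existing file at the target is overwritten. The following is an added Python example (not the Sysinternals tool or the article's code) that decodes those raw value bytes into a list of pending operations. It parses the raw bytes rather than using a generic REG_MULTI_SZ reader because the delete entries are empty strings, which many such readers treat as the end of the list; the sample buffer is constructed in the code and is not from any real host.

```python
# Native NT path prefix that Windows stores in front of each path in the value.
NT_PREFIX = "\\??\\"


def multi_sz_to_list(raw):
    """Split raw REG_MULTI_SZ bytes (UTF-16LE, each string NUL-terminated, then a
    final NUL for the list) into a list that preserves empty strings. The empty
    strings matter: they are the delete entries."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]            # drop the list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()                 # drop the empty piece after the last string's NUL
    return parts


def list_to_multi_sz(strings):
    """Inverse of multi_sz_to_list; used here only to build the constructed sample."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def strip_nt_prefix(path):
    """Turn \\??\\C:\\foo into C:\\foo for readability."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_operations(entries):
    """Turn the flat string list into {action, source, target} records.
    A dangling source with no target (odd-length list) is reported as malformed
    rather than silently dropped, since a truncated value is itself suspicious."""
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        if dst == "":
            ops.append({"action": "delete", "source": strip_nt_prefix(src), "target": None})
        else:
            action = "replace" if dst.startswith("!") else "rename"
            ops.append({"action": action, "source": strip_nt_prefix(src),
                        "target": strip_nt_prefix(dst.lstrip("!"))})
    if len(entries) % 2 == 1:
        ops.append({"action": "malformed", "source": strip_nt_prefix(entries[-1]),
                    "target": None})
    return ops


# Constructed sample value (not read from any real system): one replace, one
# delete, and one dangling entry with no target.
SAMPLE_RAW = list_to_multi_sz([
    "\\??\\C:\\WINDOWS\\Temp\\newdriver.tmp", "!\\??\\C:\\WINDOWS\\system32\\drivers\\newdriver.sys",
    "\\??\\C:\\WINDOWS\\Temp\\installer.log", "",
    "\\??\\C:\\WINDOWS\\system32\\unknown.dll",
])


if __name__ == "__main__":
    for op in parse_pending_operations(multi_sz_to_list(SAMPLE_RAW)):
        print("%-9s %s -> %s" % (op["action"], op["source"], op["target"]))
```

When reviewing the output, a "replace" whose target lives under system32 or a driver directory, or a "delete" of a file you were about to preserve as evidence, is exactly the kind of surprise a reboot would otherwise spring on you.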

Finally, logonsessions.exe is a command-line utility that will list active logon sessions. To run it, simply type logonsessions in the directory where the utility is. Also, if you use the -p switch, the utility will list the active processes under each session. An example of the output is shown in the figure below.

Autorunsc.exe, pendmoves.exe and logonsessions.exe are all command-line utilities. This means they are perfect for a script. This next script is nothing fancy. It is just a batch file called "incident_collect.bat."

To run it, simply put incident_collect.bat, autorunsc.exe, pendmoves.exe, and logonsessions.exe in the same folder. Then, run incident_collect.bat. This batch file will produce three files. They are autoruns.csv, logonsessions.txt, and pendmoves.txt. They are named for their respective tools. These files are simply the output of their respective commands. The batch file is listed below.

::==========BEGIN CODE===========
:: NAME: incident_collect.bat
:: AUTHOR: Harley Stagner
:: DATE  : 9/2/2006
:: COMMENT: This script will run autorunsc.exe,
::      pendmoves.exe, and logonsessions.exe with
::      the appropriate switches and will redirect the
::      output to autoruns.csv,
::      logonsessions.txt and pendmoves.txt respectively.

:: -a = all entries, -c = CSV output
autorunsc -a -c > autoruns.csv

:: file renames and deletions scheduled for the next boot
pendmoves > pendmoves.txt

:: -p = list the processes running under each logon session
logonsessions -p > logonsessions.txt

::==========END CODE=============

You can, of course, redirect the output to any location by specifying a path (even a UNC path) after the redirection (>) character. You may want to collect this information on the host machine as well as any virtual machines that may be running on the host. Examining the output of these utilities will help you to determine what might be lurking on the host machine or any virtual machines before you shut them down.

Finally, before you shut down any virtual machines, save their state and copy their folders to another location. Also, take an image of the Virtual Server 2005 host machine if possible. Now, you can install Virtual Server 2005 on another machine and perform a thorough forensic investigation on the affected virtual machines.

While complete forensic analysis is beyond the scope of this article, what you are looking for, in general, is anything (services, open ports, files) that are different from your baseline install of Virtual Server 2005 or any virtual machines that you build. You did establish a baseline, didn't you?
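The baseline question above, and the autoruns compare feature mentioned earlier, come down to one operation: diff the autorunsc CSV captured at build time against the one captured during the incident. Here is an added Python example (not the article's script and not a Sysinternals tool) that does that for autoruns.csv, reporting autostart entries that were added, removed, or whose image path, launch string or enabled state changed. The column names it keys on are an assumption about the autorunsc -c header; check the first line of your own file and adjust KEY_COLS and COMPARE_COLS if they differ. Both CSV inputs are constructed samples, not output from a real host.

```python
import csv
import io

# Assumed autorunsc -c column names: the pair that identifies an entry, and the
# columns whose change is worth flagging. Verify against your own file's header.
KEY_COLS = ("Entry Location", "Entry")
COMPARE_COLS = ("Enabled", "Image Path", "Launch String")

# Constructed baseline taken at build time (not real host output).
BASELINE_CSV = """Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VMAdditions,enabled,Virtual Machine Additions,Microsoft Corporation,c:\\program files\\virtual machine additions\\vmusrvc.exe,c:\\program files\\virtual machine additions\\vmusrvc.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Virtual Server,enabled,Virtual Server,Microsoft Corporation,c:\\program files\\microsoft virtual server\\vssrvc.exe,c:\\program files\\microsoft virtual server\\vssrvc.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Backup Agent,enabled,Backup agent,"Example Backup, Inc.",c:\\program files\\backup\\agent.exe,c:\\program files\\backup\\agent.exe -service
"""

# Constructed capture from the same host during the incident.
CURRENT_CSV = """Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VMAdditions,enabled,Virtual Machine Additions,Microsoft Corporation,c:\\program files\\virtual machine additions\\vmusrvc.exe,c:\\program files\\virtual machine additions\\vmusrvc.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,svchost,enabled,,,c:\\windows\\temp\\svchost.exe,c:\\windows\\temp\\svchost.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Virtual Server,enabled,Virtual Server,Microsoft Corporation,c:\\program files\\microsoft virtual server\\vssrvc.exe,c:\\program files\\microsoft virtual server\\vssrvc.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Backup Agent,enabled,Backup agent,"Example Backup, Inc.",c:\\windows\\system32\\agent.exe,c:\\windows\\system32\\agent.exe -service
"""


def parse_autoruns(text):
    """Parse autorunsc CSV text into {(location, entry): row}; csv handles quoted
    fields such as a publisher name containing a comma."""
    return {tuple(row[c] for c in KEY_COLS): row
            for row in csv.DictReader(io.StringIO(text))}


def read_autoruns_file(path):
    """Redirected autorunsc output may be UTF-16 with a byte-order mark; handle
    both that and plain UTF-8 before parsing."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return parse_autoruns(raw.decode("utf-16"))
    return parse_autoruns(raw.decode("utf-8-sig"))


def diff_autoruns(baseline, current):
    """Return entries added, removed and changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for key in sorted(set(baseline) & set(current)):
        diffs = {c: (baseline[key][c], current[key][c])
                 for c in COMPARE_COLS if baseline[key][c] != current[key][c]}
        if diffs:
            changed.append((key, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def format_report(result):
    """One line per finding, suitable for pasting into incident notes."""
    lines = ["ADDED   %s | %s" % key for key in result["added"]]
    lines += ["REMOVED %s | %s" % key for key in result["removed"]]
    for key, diffs in result["changed"]:
        for col, (old, new) in diffs.items():
            lines.append("CHANGED %s | %s | %s: %r -> %r" % (key[0], key[1], col, old, new))
    return "\n".join(lines) if lines else "no differences from baseline"


if __name__ == "__main__":
    print(format_report(diff_autoruns(parse_autoruns(BASELINE_CSV),
                                      parse_autoruns(CURRENT_CSV))))
```

In the constructed sample the report flags a new Run entry launching from a temp directory and a service whose image path moved into system32; an entry that merely kept its name but changed its launch string is the case a name-only comparison would miss, which is why the diff compares the launch columns and not just the key.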

This was first published in February 2007
